A secure computing platform is equipped with a Trusted Platform Module (TPM). The TPM provides a physically-secure computing environment that exposes a limited number of functions to the platform. One such function is reliable attestation of the platform's execution state. Another is cryptographic sealing, which protects data by encrypting it with a physically-secure key and binding use of the encrypted data to a particular platform execution state. Software that runs on the platform can leverage these TPM functions to create a secure execution environment on the platform.
The fact that the TPM implements a limited number of functions helps to make the TPM secure. Since the TPM implements only a small number of functions, the behavior of the TPM can be well-understood, thereby reducing the chance that unexpected security vulnerabilities could be found and exploited. However, there are some functions that it would make sense to perform inside a physically-secure environment, but that the TPM does not provide. While the TPM's exposed functions can be leveraged to provide general security for an execution environment on the platform, operations that take place on the platform outside of the TPM do not enjoy the physical security that the TPM provides. Once code or data is on the platform outside of the TPM, that code or data is subject to certain kinds of software and hardware attacks that could not be mounted in a physically-secure execution environment. Theoretically, a TPM could be constructed that provides a general-purpose execution environment so that some arbitrary code or data could be executed within the TPM's physical security barrier. However, TPMs that provide such general-purpose execution environments have not been available.
Physically secure execution environments other than the TPM do exist. However, devices that implement these environments are not physically bound to the host platform in the way that the TPM is. The TPM's ability to provide reliable attestation of, and sealing to, the platform's execution state is based on the nature of the TPM's physical binding to the platform. In particular, the TPM (including the registers that store execution state measurements) is reset whenever the platform is reset, and the identity of software that is running on the platform (which forms the basis of the measurements that are taken) is recorded by platform firmware. Moreover, since the TPM has a permanent physical connection to the platform, when the platform communicates with the TPM there is no concern that the TPM is being impersonated by some other component. By contrast, non-TPM devices that implement physically-secure execution environments are detachable from the platform, so imposter attacks are a concern when communicating with these detachable devices. Additionally, the resetting of a detached device is not linked to the resetting of the host platform, so an external device cannot reliably measure platform state acquired since the host platform's last reset.
Thus, using an external device to implement TPM-like security for a platform presents certain challenges.
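As an added illustration that is not part of this text, the following toy Python model shows the two TPM properties the passage relies on: software identities are chained into a measurement register that is cleared on every reset, and sealed data can only be recovered while that register holds the value it had at seal time. The hash chain, the key derivation, the one-block XOR cipher and the four-register layout are simplifications assumed for the model, not a real TPM's algorithms or interface.

```python
import hashlib
import hmac
import os

class ToyTPM:
    def __init__(self):
        self.srk = os.urandom(32)  # sealing secret that never leaves the "TPM"
        self.reset()
    def reset(self):
        """Platform reset clears every measurement register (4 PCRs assumed)."""
        self.pcr = [b"\x00" * 32 for _ in range(4)]
    def extend(self, index, measurement):
        """PCR <- SHA-256(PCR || SHA-256(measurement)): an order-dependent chain."""
        digest = hashlib.sha256(measurement).digest()
        self.pcr[index] = hashlib.sha256(self.pcr[index] + digest).digest()
        return self.pcr[index]
    def _key(self, index):
        # Derived from the TPM-resident secret and the *current* PCR value.
        return hmac.new(self.srk, b"seal" + self.pcr[index], hashlib.sha256).digest()
    def seal(self, index, data):
        """Encrypt and authenticate up to 32 bytes under the current PCR value."""
        key = self._key(index)
        stream = hashlib.sha256(key + b"stream").digest()  # toy one-block keystream
        ct = bytes(a ^ b for a, b in zip(data, stream))
        return ct + hmac.new(key, ct, hashlib.sha256).digest()
    def unseal(self, index, blob):
        """Return the plaintext only if the PCR still equals its seal-time value."""
        ct, tag = blob[:-32], blob[-32:]
        key = self._key(index)
        if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return None  # state changed (or reset): the key cannot be re-derived
        stream = hashlib.sha256(key + b"stream").digest()
        return bytes(a ^ b for a, b in zip(ct, stream))

def demo():
    """Seal under one measured boot, then retry after a change and after a reset."""
    tpm = ToyTPM()
    good = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]  # constructed identities
    for m in good:
        tpm.extend(0, m)
    blob = tpm.seal(0, b"disk-key")
    same = tpm.unseal(0, blob)  # identical boot sequence: plaintext recovered
    tpm.reset()
    for m in good[:-1] + [b"kernel-v2"]:
        tpm.extend(0, m)
    changed = tpm.unseal(0, blob)  # different software identity: None
    tpm.reset()
    fresh = tpm.unseal(0, blob)  # registers cleared by reset: None
    return same, changed, fresh
```

The measurement chain depends only on the sequence of identities, so two platforms that boot the same software reach the same register value, while the sealing key additionally depends on the secret that never leaves the module.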